[Swan] No PARENT proposal selected

Paul Wouters paul at nohats.ca
Thu Dec 24 05:10:10 UTC 2015


On Sat, 10 Oct 2015, Bob Miller wrote:

> Matt,
>
> Thank you sooo much for giving me a proper interpretation, probably saved me 
> a pile of time chasing that to no conclusion.

> for that matter, I am not sure that my assessment that windows is providing 
> too low a level of OAKLEY_GROUP_MODP is correct.


It seems that is correct and Windows, at least in some configurations,
only proposed modp1024 in IKEv2, which libreswan no longer allows in its
default proposal. You will need an ike= line that matches the windows
proposal, possibly: ike=aes128-sha1;modp1024

>  I tried adding a few lines 
> like ike=3des-sha1;modp1024 to my conn, but all the things I tried seemed to 
> get stuck at STATE_PARENT_R1.

You need to fix the ike= line, not the esp= line.

Paul


More information about the Swan mailing list